Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow configurable time for ES output #921

Closed
markwalkom opened this issue Feb 4, 2016 · 19 comments
Closed

Allow configurable time for ES output #921

markwalkom opened this issue Feb 4, 2016 · 19 comments

Comments

@markwalkom
Copy link
Contributor

Here we state;

# Optional index name. The default is "filebeat" and generates
    # [filebeat-]YYYY.MM.DD keys.
    index: "filebeat"

But we don't allow the YYYY.MM.DD to be configurable.

This isn't ideal as users cannot do anything but daily indices without putting Logstash in the pipeline.

@ruflin
Copy link
Contributor

ruflin commented Feb 4, 2016

An older discussion about this can be found here: https://github.com/elastic/libbeat/issues/318 It's a good time to close the older one and reference to this one here.

Somehow related: #574

@ruflin
Copy link
Contributor

ruflin commented Feb 4, 2016

@markwalkom Is the goal to just make it possible to not have a pattern, or that the output would recognize different output patterns? Can you give some examples?

@markwalkom
Copy link
Contributor Author

Sure.

Hourly, weekly, monthly indices. Not non-time based though.
On 4 Feb 2016 5:57 pm, "Nicolas Ruflin" [email protected] wrote:

@markwalkom https://github.com/markwalkom Is the goal to just make it
possible to not have a pattern, or that the output would recognize
different output patterns? Can you give some examples?


Reply to this email directly or view it on GitHub
#921 (comment).

@ruflin
Copy link
Contributor

ruflin commented Feb 4, 2016

That would mean it has the following logic (abstract code)

var index = config.indexname
var pattern = config.pattern

// Pattern not set falls back to default pattern
if pattern == nil {
    pattern = "YYYY.MM.DD"
}


// Empty pattern means pattern is not used
if pattern != "" {

    // Append pattern to index based on timestamp
    pattern = ParsePattern(config.pattern, time.Now())
    index = index + "-" + $PATTERN
}

Would that work, assuming we can interpret common pattern with ParsePattern?

@markwalkom
Copy link
Contributor Author

Looks OK.

You can do this with LS, not sure how go handles it!
On 4 Feb 2016 6:51 pm, "Nicolas Ruflin" [email protected] wrote:

That would mean it has the following logic (abstract code)

var index = config.indexname
var pattern = config.pattern

// Pattern not set falls back to default pattern
if pattern == nil {
pattern = "YYYY.MM.DD"
}

// Empty pattern means pattern is not used
if pattern != "" {

// Append pattern to index based on timestamp
pattern = ParsePattern(config.pattern, time.Now())
index = index + "-" + $PATTERN

}

Would that work, assuming we can interpret common pattern with
ParsePattern?


Reply to this email directly or view it on GitHub
#921 (comment).

@gr0
Copy link

gr0 commented Feb 5, 2016

Would it be possible to have the index and pattern concatenation part also configurable, so that we could have indices like index_pattern, not only index-pattern?

@markwalkom
Copy link
Contributor Author

@gr0 you mean _ and - as the separator?

@gr0
Copy link

gr0 commented Feb 6, 2016

@markwalkom yes, so one could actually have the index pattern that matches the rest of the sources and not ending up with multiple index name patterns or having to modify the rest of the setup to include beats.

For example, if would be nice, to be able to have patterns like [filebeat_]YYYY-MM-DD or [filebeat_]YYYY.MM.DD depending on the needs. Of course with some nice default if the user doesn't want to configure the pattern and just want beats to take care of that.

What do you think?

@UserNotFound
Copy link

I'd vote for duplicating how logstash parses this option, at a minimum.

@ruflin
Copy link
Contributor

ruflin commented Feb 9, 2016

As a reference here is the way LS does it: https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-index

@UserNotFound You mention "at a minimum". What are the limitations for you with the LS approach?

@UserNotFound
Copy link

@ruflin I have not encountered any limitations, I would just like to be able to name all of my indexes consistently across my environment.

@ruflin
Copy link
Contributor

ruflin commented Feb 11, 2016

@UserNotFound Ok. I was asking because if we implement this similar to LS it would be good to know if there are some limitations with the LS approach and we could improve on top of it.

@anhlqn
Copy link

anhlqn commented Apr 11, 2016

Just gave winlogbeat a try today since we are using Solarwinds LEM to gather Windows events. Looking forward for this enhancement to be implemented because:

  • I want to limit the number of index/shards for windows event log indexes. Even with 2 shards per indexes, they are still a lot
  • Not having to add another layer of LS would save some resources, redundancy issue, and headead ofc

@ruflin
Copy link
Contributor

ruflin commented Apr 27, 2016

@markwalkom Could this one help here? elastic/elasticsearch#17814

@markwalkom
Copy link
Contributor Author

Yes, but only if the user uses the ingest node.

On 27 April 2016 at 21:09, Nicolas Ruflin [email protected] wrote:

@markwalkom https://github.com/markwalkom Could this one help here?
elastic/elasticsearch#17814
elastic/elasticsearch#17814


You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#921 (comment)

@ruflin
Copy link
Contributor

ruflin commented Apr 28, 2016

@markwalkom So either ingest node or LS can be used, so question is if this feature would still be needed on the beats side (if we not talk about older ES versions).

@markwalkom
Copy link
Contributor Author

But if you use direct to ES this still matters, so I think it's still a
good option to have.
On 28 Apr 2016 9:09 pm, "Nicolas Ruflin" [email protected] wrote:

@markwalkom https://github.com/markwalkom So either ingest node or LS
can be used, so question is if this feature would still be needed on the
beats side (if we not talk about older ES versions).


You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#921 (comment)

@ruflin
Copy link
Contributor

ruflin commented Jul 5, 2016

There is now also a new "rollover" API which is also interesting here: https://www.elastic.co/guide/en/elasticsearch/reference/master/indices-rollover-index.html

@tsg tsg mentioned this issue Jul 21, 2016
tsg pushed a commit to tsg/beats that referenced this issue Jul 21, 2016
This transforms the fixed index into a pattern, somehow similar to how
Logstash is doing it. However, logstash is using the Joda format, for which
we don't have Go libraries. So instead of writing `filebeat-%{+YYYY.MM.dd}` you
would need to write `filebeat-%{+2006.01.02}` (i.e. layout by example).

Because the Go layouts don't support ISO 8601 weeks, in order to support weekly
indices, the special `isoweek` keyword was introduced, which is the equivalent
of Joda `xxxx.ww`. The layout `filebeat-%{+isoweek}` results in `filebeat-2016.29`
for today.

Part of elastic#2074. Closes elastic#921.
@tsg
Copy link
Contributor

tsg commented Aug 8, 2016

Implemented in #2119.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants